Over the last 20 years or so, I’ve had a hand in the design and delivery of a wide variety of systems for handling Protectively Marked or otherwise sensitive data, from both the vendor side and the customer side. In every case, it was easier to prove the required level of assurance to the Accreditor when the solution was built on certified products.

However, the certification schemes available – principally the internationally supported Common Criteria (ISO 15408 – originally ITSEC in the UK) and the UK’s CESG Assisted Product Scheme (CAPS) for crypto products – are aimed mainly at the higher Impact Levels. As a consequence, certification is a lengthy and expensive process for the vendor. This commitment of cost and time must inevitably be passed on to the purchaser. For systems handling data up to Impact Level 3 (or Protectively Marked as Restricted), the level of both functionality and assurance offered by CC or CAPS products is more than is needed and the cost often prohibitive.

Such systems form the bulk of deployments in the UK’s Public Sector and Critical National Infrastructure, so what has long been needed is a catalogue of commercial security products, approved for use at the lower Impact Levels. The progress from the Claims Test Mark Scheme, piloted by CSIA and the Cabinet Office from 2004, to this new scheme is well documented in the Excelgate blog. For me, though, the most attractive attributes of the CPA scheme include:

CPA products are approved for use up to IL3 (CTM products may be used up to IL2).

The criteria for approval recognise that threat levels differ even at the same Impact Level and provide for a Foundation and Augmented level of approval for each product. This allows a product to be awarded Foundation level approval (relatively) quickly, while evaluation continues for Augmented level.

The process will accept evidence generated for other certification schemes, greatly reducing both the time and the cost to vendors of the approval process. Hopefully this will be reflected in a much wider range of security enabling products being submitted for approval.

A wide range of security characteristics have been defined against which products can be tested. The scheme has established 3 tiers of priority for initial product testing, ensuring that the most commonly required security mitigations are served first.

What Next?

Details of the transition from the CCTM scheme to CPA were published by CESG in February 2011. Acceptance of new products for CCTM evaluation will end in December 2011, with no product certificates remaining in force after December 2012. The CPA scheme goes live this month (April 2011) and, of course, it remains to be seen how it works in practice. In my opinion, it will stand or fall by how well it succeeds in reducing the time and cost burden on vendors seeking approval. Success in that will ensure a wider range of solutions with security adequate to meet the business risk will be available to public sector customers, removing the need to over-engineer their solutions in order to achieve accreditation. When that happens, everyone wins, not least the UK taxpayer.